Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

This laptop came into my shop with the FBI screen. After making full backup and scanning with Malwarebytes, Superantispyware, and Symantec Endpoint Protection on my "Server" I was able to actually use the laptop again. But when i go into my documents everything has a .html file extension.

If it is a word document, the file looks like this: "xxxx.docx.html." When I try to open the file it opens up Internet Explorer with a Decrypt Protect screen. Which I know is fake because it is asking me to pay a fee. The link it opens is http://mblblock.in/index.php. I tried to remove the extension but when i try to open the doc or jpeg is says it is corrupted.

Also ran rkill which found nothing. The Antivirus on the machine is McAffee.
I have looked at the backup i made before i did anything and still can open those files from the backup.

I completely reloaded the machine because my customer was in need of the computer. I do have a full backup and still have access the files I want to get back.

Yeah it's a mean one!!! I do not currently have the computer in my shop anymore. I did try the HitmanPRO solution but to no avail .

I DO have all the files here. I have been all over the internet trying to figured this thing out. I thought i would try seeing if anyone here had any thoughts. Hoping some day it will get figured out so i can get this ladies pictures, files, and music back to her. Only 20GB's worth of stuff....

Thanks for the replies. If you got anything else for me i would love to try any possible fixes.

I can't help you with a quick fix but it would be interesting to see the file header on one of the JPEG files. These files have a specific format starting at byte 0. If Windows says the file is corrupt, it means the file header doesn't match the file type (JPG). The only way to look at the header would be to use a hex file viewer. I'm guessing the file header was overlaid with a html header and the URL to the site or it contains a jump code. If the units and picture density data have been over-written, I'm afraid the pictures are gone.

The Start Of Image (SOI) marker will always contain the values FF D8 (hex). The Application Use marker (APP0) will always contain the values FF E0 (hex) and the characters "JFIF" in the marker data. The JFIF characters will be followed by two zeros (00h).

Here's the header format if you want to check to see if it's overlaid in one of the JPEG files:

There may not be a Ransomware Decryption Tool available for the encrypted files.

You could try restoring them from a Previous Version in Windows:
>Rename the file to the original filename (If you know this)
>Right-click the file and select: Properties
>Select the Previous Versions tab
>Select the file from the previous versions found.
>Backup the existing encrypted file
>Click: Restore

Windows should restore the older file and overwrite the encrypted one.

If there is no backup of the files, the above is a long process, but may be worth the effort.

I can't help you with a quick fix but it would be interesting to see the file header on one of the JPEG files. These files have a specific format starting at byte 0. If Windows says the file is corrupt, it means the file header doesn't match the file type (JPG). The only way to look at the header would be to use a hex file viewer. I'm guessing the file header was overlaid with a html header and the URL to the site or it contains a jump code. If the units and picture density data have been over-written, I'm afraid the pictures are gone.

The Start Of Image (SOI) marker will always contain the values FF D8 (hex). The Application Use marker (APP0) will always contain the values FF E0 (hex) and the characters "JFIF" in the marker data. The JFIF characters will be followed by two zeros (00h).

Here's the header format if you want to check to see if it's overlaid in one of the JPEG files:

I also tried what the person did to fix it but i didnt have the registry entries that were in the video. Nor the file he deletes.

I should mention that i restored the backup i made when the machine first came in and tried that fix, thinking that my scans may have found those entries or "deleted" the decrypting key to be able to use the files again.

Ransomware encrypted my files. All files have .html extension

Icons for .HTM/.HTML files show up like text filesHello friends,
I am using Windows 7 Ultimate SP1 64 bit. The icons for firefox HTM/HTML files are
not displayed properly. They are displayed like Text files. I even configured the default icon
for .htm/.html files in FileTypesMan utility. Still in the windows explorer, the files are shown as...

General Discussion

Important files came under attack by ransomware. They are encrypted.Original post below:
------------------------------------------------------------------------------------------
I was using google chrome and none of the pages were loading correctly (including settings). This made me think I needed to do an immediate virus scan. On doing so it detected...

System Security

Encrypted FilesI have a top level folder where all folders, subfolders and files are encrypted.
I purchased these Adobe Lightroom tutorials which are mainly Quicktime formatted. The folders also contain several PDF files. These files where received as Zip files and extracted by me. The folder and file names...

General Discussion

Encrypted filesRecently some damage happened to a user account with lots of encrypted files (virus or something), and now the files aren't accessible, even with that account (which is the original account that encrypted the files in the first place). When trying to decrypt the files, all I get is 'access denied'....

System Security

Cannot access encrypted files even though I never encrypted themI have a 1TB external USB drive (M: for my entire music collection (all legitimately purchased!)
It has always been connected to my desktop. Up until a few weeks ago, my desktop was Win7 32bit Ultimate. A few weeks ago my system died so I got a new one and I installed Win7 64bit Ultimate this...